
Salt Typhoon, a Chinese threat actor also known by aliases such as Earth Estries, FamousSparrow, GhostEmperor, and UNC2286, has been conducting cyber-espionage activities against high-value government and telecommunications organizations for several years. Recently, it introduced a new backdoor malware named GhostSpider.
According to Trend Micro, the APT group Earth Estries has the capability to deploy a variety of powerful payloads within targeted networks. These include:
- Masol RAT: A cross-platform tool used against Linux servers in Southeast Asian governments.
- SnappyBee (aka Deed RAT): A modular tool.
- GhostSpider: A newly discovered, highly modular backdoor adaptable to various attack scenarios.
- Demodex: A rootkit.
Trend Micro also speculates that Salt Typhoon might have used Inc ransomware in some of its operations. The group has been engaged in long-term espionage against governments and other targets since 2020. However, around mid-2022, it shifted tactics: previously focused on phishing employees, it now targets Internet-facing devices, exploiting n-day vulnerabilities and exposed ports or protocols to gain access.
The group has favoured several high-impact vulnerabilities, including:
- The SQL injection bug CVE-2024-48788, which affects the Fortinet Enterprise Management Server (EMS)
- CVE-2022-3236, a code injection issue in Sophos Firewalls
- CVE-2023-46805 and CVE-2024-21887, which pair to allow privileged, arbitrary command execution in Ivanti’s Connect Secure VPN
- The four Microsoft Exchange vulnerabilities involved in ProxyLogon
Salt Typhoon often avoids direct exploitation of vulnerabilities within target networks, opting for more strategic methods. Since 2023, it has targeted organizations across four continents, including countries like Afghanistan, India, Eswatini, and the US, with a focus on Southeast Asia.
Victims include telecommunications, technology, consulting, chemical, transportation, and nonprofit sectors, with a special emphasis on government agencies. Some targets, such as NGOs, may serve as intermediaries for further attacks on more critical entities. In 2023, researchers noted Salt Typhoon compromising consulting firms and NGOs associated with the US government and military to facilitate more effective breaches.
Since 2023, Salt Typhoon has compromised over 20 high-profile organizations worldwide, often remaining undetected for extended periods. Its recent targets include US telecommunications companies such as T-Mobile USA and ISPs across North America. There is much speculation about the recent T-Mobile breach, with multiple sources attributing it to Salt Typhoon.
According to the latest statement from T-Mobile on its website:
To address some misleading media reports, here’s our current situation, which may differ from other providers’ experiences:
- Recent Infiltration Attempts: Over the past few weeks, we detected attempts to infiltrate our systems originating from a wireline provider’s network connected to ours. This is a first-time occurrence.
- Defensive Measures: Our defenses successfully protected sensitive customer information, prevented service disruption, and halted the attack. No sensitive customer data (calls, voicemails, or texts) was accessed by the bad actors.
- Network Disconnection: We swiftly severed connectivity to the compromised provider’s network and continue to monitor for threats.
- Current Status: There are no signs of these or other attackers in our systems at this time.
- Attacker Identification: We cannot definitively identify the attackers, whether it is Salt Typhoon or another group, but have reported our findings to the government for further assessment.
“Our defenses, including layered network design, robust monitoring, and collaborations with third-party cybersecurity experts, successfully prevented attackers from advancing and accessing sensitive customer information. Other providers might be experiencing different outcomes. We have shared our findings with industry and government leaders to combat these sophisticated threats.”

